guoyang...@zgclab.edu.cn <guoyangfei=40zgclab.edu...@dmarc.ietf.org> wrote:
    > The draft's link is
    > 1. https://datatracker.ietf.org/doc/draft-xu-erisav/

} IPsec IKE negotiates the tag tagged in the packet. IKE also negotiates the
} authentication algorithm, authentication key, and others specified by
} SA. These will be stored in the SAD and SPD described in [RFC4301]. IPsec AH
} [RFC4302] is the authentication header of the IPsec Security Architecture. It
} authenticates the whole packet for integrity. However, source address
} validation does not require such strong authentication. It just needs to
} protect the source address from being spoofed. So it needs a new
} authentication process. This new authentication process will only take a few
} changeless fields as input. And the original tag will be seen as the
} authentication key. The result of this process will produce a new label
} called the packet signature that will be filled in the packet properly. And
} this label or the SA MUST be sent to all the ASBRs for communication.

With what node does IKE negotiate?

Where is the AH introduced?
In IPv4, whether we can introduce new headers is up for debate.
For IPv6, it is not.

So I really don't know what to make of your proposal.

If we could asymmetrically sign every packet with a new AH protocol that used
an asymmetric key, that would be awesome.  I've wanted to do this forever,
but it's just not affordable.

What if we signed some small percentage (0.01%) of packets... would there be
some way this could be useful for SAV?

-- 
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
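
The per-packet label the quoted draft description sketches, as an added example that is neither the draft's nor either poster's code: it assumes the "changeless fields" are the IPv6 source address, destination address and next-header value (the quoted text does not enumerate them), uses the IKE-negotiated tag as an HMAC key, and shows an ASBR holding the same tag accepting a genuine packet while rejecting the same label carried on a spoofed source or checked under a different tag.

```python
import hashlib
import hmac
import ipaddress

# Assumption (not stated in the quoted draft text): the "changeless fields" are
# the IPv6 source address, destination address and next-header value, and the
# signature is truncated to 8 bytes so it fits a small packet label.
SIG_LEN = 8

# Constructed sample tag standing in for the value IKE would negotiate.
TAG = bytes.fromhex("00112233445566778899aabbccddeeff")


def immutable_fields(src: str, dst: str, next_header: int) -> bytes:
    """Serialize only fields that stay constant end to end; mutable fields
    such as the hop limit are deliberately left out of the MAC input."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + bytes([next_header]))


def packet_signature(tag: bytes, src: str, dst: str, next_header: int) -> bytes:
    """The label the draft calls the packet signature: an HMAC over the
    immutable fields, keyed with the negotiated tag, then truncated."""
    mac = hmac.new(tag, immutable_fields(src, dst, next_header), hashlib.sha256)
    return mac.digest()[:SIG_LEN]


def asbr_verify(tag: bytes, src: str, dst: str, next_header: int, sig: bytes) -> bool:
    """Check done by an ASBR that received the same tag; the constant-time
    comparison avoids leaking how many bytes of a forged label matched."""
    if len(sig) != SIG_LEN:
        return False
    expected = packet_signature(tag, src, dst, next_header)
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    src, dst = "2001:db8:1::10", "2001:db8:2::20"  # constructed addresses
    sig = packet_signature(TAG, src, dst, 6)
    print("genuine packet accepted:", asbr_verify(TAG, src, dst, 6, sig))
    # A spoofed source reusing a captured label no longer matches the MAC.
    print("spoofed source accepted:", asbr_verify(TAG, "2001:db8:1::99", dst, 6, sig))
    # An ASBR that never received the tag cannot validate the label either.
    print("wrong tag accepted:", asbr_verify(bytes(16), src, dst, 6, sig))
```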
